Glossary of Terms

Glossary

A

Active shooter/hostile intruder - A person who appears to be actively engaged in killing or attempting to kill people in a populated area, typically employing the use of firearms.

Active collection - For the purposes of the Website Privacy Notices Policy, active collection refers to the gathering of information where a visitor voluntarily provides information, such as through a form, by creating a profile, or by choosing account settings.

Administrative controls - Methods of controlling employee exposure to hazards by means of operating procedures or work scheduling.

Advisory - A notification category that provides urgent information about an unusual occurrence or threat of an occurrence, but no activation of the notified entity is ordered or expected at that time.

Aggravated assault - An unlawful attack by one person upon another for the purpose of inflicting severe or aggravated bodily injury. This type of assault usually is accompanied by the use of a weapon or by means likely to produce death or great bodily harm. (FBI’s UCR Program Definition)

Alert - A notification category that provides urgent information and indicates that system action may be necessary.

IU-Notify emergency notifications v. crime alerts

IU-Notify emergency notifications use multiple means of communication (text, email, phone, digital signs) to warn students and employees of an imminent threat on campus, such as a flash flood or violent intruder.

Crime alerts are intended to warn of certain crimes that represent a serious or ongoing threat, such as a string of auto burglaries or a reported sexual assault. Email is the primary method of communication for sharing details of the incident and for offering information that may aid in preventing similar crimes.

All-Clear - A distinct signal or message provided by public safety officials that indicates the specific threat or dangerous situation has ended.

Anti-virus software - According to Wikipedia, antivirus or anti-virus software (often abbreviated as AV), sometimes known as anti-malware software, is computer software used to prevent, detect and remove malicious software. Antivirus software was originally developed to detect and remove computer viruses, hence the name.

Arson - Any willful or malicious burning or attempt to burn, with or without intent to defraud, a dwelling house, public building, motor vehicle or aircraft, personal property of another, etc. (FBI’s UCR Program Definition)

Audiogram - Hearing test.

Authentication – Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. To access most technology services of Indiana University, you must provide such proof of identity. In private and public computer networks (including the Internet), authentication is commonly done through the use of login passwords or passphrases; knowledge of such is assumed to guarantee that the user is authentic. Thus, when you are asked to "authenticate" to a system, it usually means that you enter your username and/or password for that system.

Authorization - In computing systems, authorization is the process of determining which permissions a person or system is supposed to have. In multi-user computing systems, a system administrator defines which users are allowed access to the system, as well as the privileges of use for which they are eligible (e.g., access to file directories, hours of access, amount of allocated storage space). Authorization can be seen as both the preliminary setting of permissions by a system administrator, and the actual checking of the permission values when a user obtains access. Authorization is usually preceded by authentication.

Authorized user - Authorized users are people acting within the scope of a legitimate affiliation with the university, using their assigned and approved credentials (e.g., network IDs, passwords, or other access codes) and privileges, to gain approved access to university information technology resources. A person acting outside of a legitimate affiliation with the university or outside the scope of their approved access to university information technology resources is considered an unauthorized user.

Autorun - A feature in personal computers that runs a program on a CD/DVD or USB drive. AutoRun is considered a security risk because a virus could be unleashed when the medium is inserted, which is why it is no longer the default in Windows. The Mac AutoStart equivalent was also dropped in Mac OS X. (PCMAG definition)

B

Background check - A background check is the process of looking up and compiling criminal records, commercial records and financial records of an individual or an organization.

Best practice - Best practices consist of one or more general statements or recommendations detailing procedural or technology approaches to following or implementing policy. In contrast to procedures and standards, best practices are not requirements to be met, although they are strongly recommended. (See also Guideline.)

Bloodborne pathogens – Pathogenic microorganisms that are present in human blood and can cause disease in humans. These include, but are not limited to, hepatitis B virus (HBV) and human immunodeficiency virus (HIV).

Board of Trustees - For the purposes of information security and privacy governance, the Board of Trustees is a Role Title. The Board is Indiana University's governing board, legal owner, and final authority, and the owner of all information, except information excluded from university ownership as set forth in the Indiana University Policy on Intellectual Property. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

Breach - The acquisition, access, use, or disclosure of information in a manner not permitted under existing law which compromises the security or privacy of the information (i.e. poses a significant risk of financial, reputational, or other harm to the individual and/or university).

Burglary - The unlawful entry of a structure to commit a felony or a theft. For reporting purposes this definition includes: unlawful entry with intent to commit a larceny or felony; breaking and entering with intent to commit a larceny; housebreaking; safecracking; and all attempts to commit any of the aforementioned. (FBI’s UCR Program Definition)

Business continuity plan – Business continuity planning (BCP) is the practice of planning how you will run your service or business unit processes when normal operating procedures are not possible.

Building emergency action plan - These plans are the agreed upon actions for fire, severe weather, medical and other emergencies that all staff who work in a building should be made aware of when they start employment (or when the plans change), as per the guidelines of the federal Occupational Safety and Health Administration. Plans for many buildings at IU can be viewed on Box.

Business function management – For the purposes of information security and privacy governance, Business Function Management is a Role Title, and is defined as those individuals assigned business management responsibilities for a unit or service. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

C

Campus community - All of the people (e.g., students, faculty, staff) or organizations that have a connection to the university as it relates to academic, research, recreational, administrative, or other supportive functions.

Campus Emergency Preparedness Certificate - A 100-hour program offered by IU Emergency Management and Continuity and University Human Resources. The skills and activities include things such as short online classes through the Department of Homeland Security, participation in campus emergency drills (active shooter, earthquake, etc.), on-campus classes, and individual skill development such as CPR/1st Aid certification and creating an emergency kit for the office.

To clear buildings/facilities - The practice used by law enforcement or other public safety personnel to systematically remove all personnel and any potential risks or threats from a building or facility.

Commercial activities - Commercial activities are defined as economic activities geared toward a mass or specialized market and ordinarily intended to result in a profit, and that are not part of one's university responsibilities. Commercial activities do not include the use of information technology resources for one-time, minimal transactions, such as students using their Indiana University email accounts to communicate with potential buyers for used textbooks or with potential sub-lessees. This type of transaction is considered incidental personal use.

Compliance officer - For the purposes of information security and privacy governance, Compliance Officer is a Role Title, and is defined as an individual who provides compliance oversight and/or coordination that includes information security and/or privacy, usually for a specific information type, business sector, or business function. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

Computer virus – A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting, i.e. inserting a copy of itself into and becoming a part of, another program. It cannot run by itself; it requires that its host program be run to make the virus active.

Confidentiality – Considers the effects of the inappropriate disclosure of the information.

Contamination - The process of making something dirty, polluted, or poisonous by adding a chemical, waste, or infection.

Content owner - For the purposes of the Web Site Privacy Notices Policy, the content owner of a university web site is the functional person or group that owns and directs the content of a web site. Typically, the content owner directs the site manager in the implementation of a web site. The content owner and site manager share responsibility for a web site and for adherence to this policy.

Content-neutral information - Content-neutral information is information relating to the operation of systems, including information relating to interactions between individuals and those systems. Such information includes but is not limited to operating system logs (i.e., records of actions or events related to the operation of a system or device), user login records (i.e., logs of usernames used to connect to university systems, noting source and date/time), dial-up logs (i.e., connections to university modems, noting source, date/time, and caller id), network activity logs (i.e., connections attempted or completed to university systems, with source and date/time), non-content network traffic (i.e., source/destination IP address, port, and protocol), email logs (i.e., logs indicating email sent or received by individuals using university email systems, noting sender, recipient, and date/time), account/system configuration information, and audit logs (i.e., records of actions taken on university systems, noting date/time).

Criminal homicide - murder and non-negligent manslaughter: The willful (non-negligent) killing of one human being by another. (FBI’s UCR Program Definition)

Criminal homicide - manslaughter by negligence: The killing of another person through gross negligence. (FBI’s UCR Program Definition)

Criticality – This considers the importance of maintaining integrity and availability for business operations.

D

Data - Data are symbols or characters that represent raw facts or figures and form the basis of information. Source: Glossary of Records and Information Management Terms, 3rd ed. ARMA International (2007). NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information are used interchangeably, with a preference for the use of the term information.

Data Access Manager - For the purposes of information security and privacy governance, Data Access Manager is a Role Title, and is defined as an individual who has been assigned to receive, evaluate, and authorize or deny requests for access to systems, applications, and/or databases containing information. These systems may be electronic or in paper form, for example, in paper-based filing systems. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

Data Custodian - For the purposes of information security and privacy governance, Data Custodian is a Role Title, and is defined as a manager of systems containing information. These systems may be in electronic or paper form, for example, in paper-based filing systems. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

Data Steward - For the purposes of information security and privacy governance, Data Steward is a Role Title, and is defined as an individual who has been named to represent information, usually for a specific information type, business sector, or business function, for university-wide information governance purposes. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

Dating violence - Violence committed by a person who is or has been in a social relationship of a romantic or intimate nature with the victim. The existence of such a relationship shall be determined based on the reporting party’s statement and with consideration of the length of the relationship, the type of relationship, and the frequency of interaction between the persons involved in the relationship. (Clery Act definition)

Department-Only Data - Any data that is not covered by the definition of Institutional Data. When a requested cloud solution does not include institutional data, the requester should follow normal procurement procedures. Depending upon the situation, these procedures may include involving IU Purchasing but will not involve a Third Party Security Assessment, review by the Data Steward, or a Privacy Notice review.

Destruction/damage/vandalism of property - To willfully or maliciously destroy, damage, deface, or otherwise injure real or personal property without the consent of the owner or the person having custody or control of it.

Disaster - An occurrence of a natural catastrophe, technological or human-caused incident that has resulted in severe property damage, deaths, and/or multiple injuries. A disaster is a situation exceeding the response capability of a local jurisdiction and may necessitate the need and subsequent request for resources from external sources such as state and federal governments or from mutual aid partners.

Domain - Common areas of information security and privacy activities are grouped into twelve specific domains. This domain grouping allows the use of common vocabulary and structure to identify and track projects, actions, policies, tools, and other safeguards. The Indiana University Security and Privacy Domains are adapted from the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) international standard ISO/IEC 27002:2005 on Information Security Management.

Domestic violence - A felony or misdemeanor crime of violence committed—(A) By a current or former spouse or intimate partner of the victim; (B) By a person with whom the victim shares a child in common; (C) By a person who is cohabitating with, or has cohabitated with, the victim as a spouse or intimate partner; (D) By a person similarly situated to a spouse of the victim under the domestic or family violence laws of the jurisdiction in which the crime of violence occurred; or By any other person against an adult or youth victim who is protected from that person’s acts under the domestic or family violence laws of the jurisdiction in which the crime of violence occurred. (Clery Act definition)

Drill - A coordinated, supervised activity usually employed to test a single, specific operation or function with a single entity (e.g., a fire department conducts a fire drill for a building).

Drug abuse violations - The violation of laws prohibiting the production, distribution, and/or use of certain controlled substances and the equipment or devices utilized in their preparation and/or use. The unlawful cultivation, manufacture, distribution, sale, purchase, use, possession, transportation, or importation of any controlled drug or narcotic substance. Arrests for violations of State and local laws, specifically those relating to the unlawful possession, sale, use, growing, manufacturing, and making of narcotic drugs. (FBI’s UCR Program Definition)

E

Emergency - Any incident, whether natural or human-caused, that requires responsive action to protect life and property.

Encryption – Cryptographic transformation of data into a form that conceals the data’s original meaning to prevent it from being known or used. It is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

Engineering controls - Methods of controlling employee exposure to hazards by modifying the source or reducing the quantity of contaminant released into the work environment.

Ergonomics - The applied science of equipment design, as for the workplace, intended to maximize productivity by reducing operator fatigue and discomfort.

Excessive use - Excessive use exists when a user or process has exceeded established limits placed on the service, or is consuming a resource to a level such that service to other users is degraded, or where the actions of a user could cause degradation if the user is permitted to continue the practice or activity. Service managers, system administrators, and security and network engineers must use experience and knowledge of normal service usage patterns in consultation with the management of the unit owning the service or resource, and exercise judgment in making decisions about excessive use.

Executive Management - For the purposes of information security and privacy governance, Executive Management is a Role Title, and is defined as those individuals assigned executive management responsibilities, typically with the titles of President, Vice President, and Chancellor, and including Academic Deans. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

Extending the network - Excessive use exists when a user or process has exceeded established limits placed on the service, or is consuming a resource to a level such that service to other users is degraded, or where the actions of a user could cause degradation if the user is permitted to continue the practice or activity. Service managers, system administrators, and security and network engineers must use experience and knowledge of normal service usage patterns in consultation with the management of the unit owning the service or resource, and exercise judgment in making decisions about excessive use.

Evacuation - Organized, phased, and supervised withdrawal, dispersal, or removal of civilians from dangerous or potentially dangerous areas and their reception and care in safe areas.

F

Fast-tracked Third Party Review process - May apply in certain cloud solution acquisition situations and may not require a standard review. In these cases, the Purchasing department should be made aware of the acquisition and may be involved in establishing contractual agreements with appropriate data security language. Fast-tracked approvals do not require a security assessment, privacy/policy reviews or formal signoff from the data stewards. In all cases, standard procurement procedures should be followed.

Firewall - A firewall is a system designed to prevent unauthorized access to or from a private network. You can implement a firewall in either hardware or software form, or a combination of both. Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet (i.e., the local network to which you are connected) must pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Fondling - The touching of the private body parts of another person for the purpose of sexual gratification, without the consent of the victim, including instances where the victim is incapable of giving consent because of his/her age or because of his/her temporary or permanent mental incapacity. (From the National Incident-Based Reporting System (NIBRS) User Manual from the FBI’s UCR Program)

G

Guideline - Guidelines consist of one or more general statements or recommendations detailing procedural or technology approaches to following or implementing policy. In contrast to procedures and standards, guidelines are not requirements to be met, although they are strongly recommended. (See also Best Practice.)

H

Hate crime - A crime reported to local police agencies or to a campus security authority that manifests evidence that the victim was intentionally selected because of the perpetrator’s bias against the victim. (Clery Act definition)

Health information - Any information created, maintained or received, via any communication or record retention format, by any entity such as a provider, insurance plan, employer, or university that identifies an individual and any services regarding their health care or health payments relating to their past, present, or future health status.

I

Incidental personal use - Incidental personal use is the use of information technology resources by members of the Indiana University community in support of activities that do not relate to their university employment or studies or to other activities involving and approved by the university. Examples include use of email to send personal messages to friends, family, or colleagues, including messages relating to one-time minimal sales or purchase transactions, and use of the personal home page service to provide information about personal hobbies or interests. If personal use adversely affects or conflicts with university operations or activities, the user will be asked to cease those activities. All direct costs (for example, printer or copier paper and other supplies) attributed to personal incidental use must be assumed by the user.

Incest - Sexual intercourse between persons who are related to each other within the degrees wherein marriage is prohibited by law. (From the National Incident-Based Reporting System (NIBRS) User Manual from the FBI’s UCR Program)

Identity Theft - The fraudulent acquisition and use of a person's private identifying information, usually for financial gain.

Indiana University property - Buildings, grounds, and land that are owned by Indiana University or controlled by Indiana University via leases or other formal contractual arrangements to house ongoing IU operations.

Information - Information is data that has been given value through analysis, interpretation, or compilation in a meaningful form. Source: Glossary of Records and Information Management Terms, 3rd ed. ARMA International (2007). (See also University information.) NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information are used interchangeably, with a preference for the use of the term information.

Information asset - An information asset is an item of value that contains information. Examples include documents, spreadsheets, databases, and files. For the purposes of information classification, Data Stewards typically classify information elements. Then, other individuals handling information determine the classification of an information asset based on what information elements are contained in the asset. (See also Information element.)

Information element - An information element is a single or small piece of data or information. For the purposes of information classification, Data Stewards typically classify information elements. Then, other individuals handling information determine the classification of an information asset based on what information elements are contained in the asset. (See also Information asset.)

Information Security and Privacy Program - Indiana University's Information Security and Privacy Program outlines a university-wide approach to implementing and managing information and information technology security and privacy. It describes the university's philosophies, values, and approach to safeguarding information and information technology.

Information security program - An Information Security Program is a "methodical, programmatic approach to implementing and managing security within an organization." Source: Robert B. Kvavik and John Voloudakis, Safeguarding the Tower: IT Security in Higher Education 2006 (Boulder, CO: EDUCAUSE Center for Applied Research, 2006), http://connect.educause.edu/Library/Abstract/SafeguardingtheTowerITSec/41170, 94.

Information system - A discrete set of information resources, procedures and/or techniques, organized or designed, for the classification, collection, accessing, use, processing, manipulation, maintenance, storage, retention, retrieval, display, sharing, disclosure, dissemination, transmission, or disposal of information. An information system can be as simple as a paper-based filing system or as complicated as a tiered electronic system.

Information technology governance - IT governance is defined as "the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly." Source: Board Briefing on IT Governance, 2nd ed. (Rolling Meadows, IL: IT Governance Institute, 2003), http://www.coso.org/ic.htm

Information technology resources - Information technology resources includes all university-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software; all other associated tools, instruments, and facilities; and the services that make use of any of these technology resources. The components may be individually controlled (i.e., assigned to an employee) or shared in a single-user or multi-user manner; they may be stand-alone or networked; and they may be stationary or mobile.

Institutional data (or information) - Data in any form, location, or unit that meets one or more of the following criteria:

It is subject to a legal obligation requiring the University to responsibly manage the data;

It is substantive and relevant to the planning, managing, operating, documenting, staffing or auditing of one or more major administrative functions or multiple organizational units of the university;

It is included in an official university report;

It is clinical data or research data that meets the definition of “University Work” under the Intellectual Property Policy UA-05; or

It is used to derive any data element that meets the above criteria.

Intimidation - To unlawfully place another person in reasonable fear of bodily harm through the use of threatening words and/or other conduct, but without displaying a weapon or subjecting the victim to actual physical attack. (From the Hate Crime Data Collection Guidelines and Training Manual from the FBI’s UCR Program.)

IP address spaces - IP address spaces in this context means blocks of IP addresses assigned to Indiana University by Internet addressing authorities.

IU-Notify - A collective system used by Indiana University, which integrates a variety of methods to provide emergency and safety information, including sirens, public address, Web pages, building stewards, residence hall assistants, broadcast and electronic media, and a consolidated communications system. The IU-Notify project was designed to consolidate IU's communications systems to enhance the university's ability to effectively transmit critical incident information.

J

Job hazard assessment - An assessment of hazards in the workplace, evaluating the nature of the hazard, the probability of an accident or exposure, and the consequences of the event.

Jurisdiction - in which the crime of violence occurred. (Clery Act definition)

L

Layer-2 device - Layer-2 devices function at the data link layer of the Open Systems Interconnection Basic Reference Model. Typically these are Ethernet devices such as hubs, switches, repeaters, and WAPs. These devices are often used to provide network connectivity to multiple machines in the same room using a single data jack.

Layer-3 device - Layer-3 devices function at the network layer of the Open Systems Interconnection Basic Reference Model. Typically these are IP devices such as firewalls, NATs, and packet-filtering routers that isolate or conceal other devices from the rest of the network.

Liquor law violations - The violation of state or local laws or ordinances prohibiting the manufacture, sale, purchase, transportation, possession, or use of alcoholic beverages, not including driving under the influence and drunkenness. (FBI’s UCR Program Definition)

Lock-down - This term is rarely used in emergency notices at IU because of its difficulty to implement. It generally refers to a temporary “sheltering-in-place” technique used to limit exposure to an apparent life-threatening, hostile or hazardous situation or threat. When a lockdown is declared by administrative officials, occupants of any building within the impacted area are to remain in their respective spaces, locking all doors and windows and not allowing entry or exit to a secured area until the “all clear” confirmation has been given.

Lock-down v. shelter-in-place

The term "lock-down" often is mistakenly used interchangeably with "shelter-in-place" but rarely is used during emergency communications at IU. Both are terms to describe efforts to hide to evade harm from a hostile intruder or other threat. See the full definition of shelter-in-place.

Lockout - The placement of a lockout device on an energy isolating device, in accordance with an established procedure, ensuring that the energy isolating device and the equipment being controlled cannot be operated until the lockout device is removed.

Lockout device - A device that utilizes a positive means such as a lock, either key or combination type, to hold an energy isolating device in the safe position and prevent the energizing of a machine or equipment. Included are blank flanges and bolted slip blinds.

M

Misuse or abuse - Misuse or abuse are uses of Indiana University information technology resources that violate existing laws or university policies and procedures (including but not limited to University Information Technology Policies; the Code of Student Rights, Responsibilities, and Conduct; the Academic Handbook; University Human Resources Policies; and University Financial Policies), or that otherwise violate generally accepted ethical norms and principles. Misuse or abuse also includes the sharing or transferring of an individual's university accounts, including network ID, password, or other access codes that allow them to gain access to university information technology resources, with one or more other persons.

Mitigation/prevention - Those actions taken to decrease impacts and to reduce or eliminate the loss of life and property damage related to crisis or emergency incidents.

N

Network Address Translation (NAT) device - NAT devices rewrite the IP header of a packet traversing the device, changing the IP source and/or destination addresses. They also change the layer-2 (MAC) address to that of the NAT device. Often the result is to present multiple devices behind a NAT as if they were a single device.

Normal Procurement Procedures - May include the process of competitive bidding, review, approval, and negotiation of contract language prior to signature of any binding contract per the appropriate and authorized signature policies.

Notification - Information distributed to relevant personnel that contains important information regarding an actual or potential hazard impact and the response status of the organization.

O

OWASP (Open Web Application Security Project) - According to Wikipedia, the Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

Owner - The term "owner" identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the information or information technology assets. The term "owner" does not necessarily mean that the person or entity actually has any property rights to the asset.

P

Passphrase - A passphrase is simply a different way of thinking about a much longer password. Dictionary words and names are no longer restricted. In fact, one of the very few restrictions is the length: 15 characters. Your passphrase can be a favorite song lyric, a quote from a book, magazine, or movie, or something your kids said last week. It's really that easy.

Passive collection - For the purposes of the Web Site Privacy Notices Policy, passive collection refers to the automatic gathering of information from visitors as they migrate or navigate from page to page on a web site or series of sites, such as via server logs or cookies.

Peer-to-peer (P2P) file-sharing - Peer-to-peer (P2P) file-sharing allows users to share files online through an informal network of computers running the same software. File-sharing can give you access to a wealth of information, but it also has a number of risks. You could download copyright-protected material, pornography, or viruses without meaning to. Or you could mistakenly allow other people to copy files you don't mean to share.

Personally Identifiable Information (PII) - Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. (As used in the NIST standards and according to the United States Government Accountability Office.)

Personal private gain - Personal private gain is defined as securing profit or reward for an individual in his or her personal capacity that is not otherwise permitted by this policy.

PIC - Programs Involving Children. Any program that involves minors under 18 must comply with the Indiana University Programs Involving Children (“PIC”) Policy. A program is considered a PIC when it targets minors. A program is not considered a PIC when children are present but the main purpose of the program was not to attract children (such as Auditorium shows or an athletic event). Additionally, this policy does not apply to students registered at IU who are under 18.

Policy, Information - An information or information technology policy is an agreed upon, formal, high-level statement that describes the university's philosophy, values, and/or direction for a specified subject area. Policies tend to be fairly brief and focus on guiding principles (i.e. the "why") rather than on technical or process details (i.e. the "how"). The purpose of policies is to guide present and future decisions so that they are in agreement with university goals and objectives. University-level information and information technology policies are developed and approved using a formal process. Because policies are official institutional statements, compliance with policies is non-optional and failure to follow policies may result in sanctions imposed by the appropriate university office. Policies are not procedures (although many policy documents have a procedures section), standards, guidelines or best practices. These other, more detailed documents flow from and support policies.

Position paper - A position paper is a concise, practical document that focuses on a specific technology or issue (often new or not yet widely used or encountered within the university) and expresses the professional opinion of the University Information Policy Office or University Information Security Office on its use within or effect on the university.

Pre-existing Contracted Solutions - Are known by the IU Purchasing Department. Contact that office to see if there are existing enterprise-level contracts in place that will meet your needs.

Principle of least privilege - The principle of least privilege (PoLP; also known as the principle of least authority) is an important concept in computer security, promoting minimal user profile privileges on computers, based on users' job necessities. It can also be applied to processes on the computer; each system component or process should have the least authority necessary to perform its duties. This helps reduce the "attack surface" of the computer by eliminating unnecessary privileges that can result in network exploits and computer compromises. You can apply this principle to the computers you work on by normally operating without administrative rights.

Privacy - Privacy is defined as the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information. Source: Generally Accepted Privacy Principles: A Global Privacy Framework ([Durham, NC?]: American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2006), http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/, 4.

Private IP address - Private IP addresses are local network addresses that are not routed to the Internet, so that connections to them from other devices on the Internet are not possible. The most common private IP address blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as defined by RFC 1918.

Procedure - Procedures (like standards) support policy by further describing specific implementation details (i.e. the "how"). A procedure can be thought of as an extension of a policy that articulates the process to be used in carrying out/complying with the policy. A procedure may describe a series of steps, or how to use standards and guidelines to achieve the goals of a policy. Procedures, along with standards, promote a consistent approach to following policy. Procedures make policies more practically meaningful and effective. Procedures overlap with standards, although procedures tend to be more process oriented while standards tend to be more focused on requirements or specifications. Because procedures directly support policies, compliance with procedures is non-optional and failure to follow procedures may result in sanctions imposed by the appropriate university office.

Programs - The term “program” is used in the Programs Involving Children policy to include ongoing or planned events that are designed to include children, such as camps, lessons, workshops, clubs, teams, projects, practices, tours, open-houses, research activities, recruiting activities, and clinical settings.

Public information officer (PIO) - The acronym PIO is frequently used by the media and organizations or agencies to describe the person authorized to discuss or provide information and updates to the media and general public.

Public IP addresses - Public IP addresses are network addresses that are routed to the Internet, so that connections to them from other devices on the Internet are allowed.

Q

R

Ransomware - A type of malicious software which blocks access to a computer system or encrypts digital files so no one can access it/them without paying a fee. The malicious software displays a message about how the user can supposedly regain access to his/her system/files by paying a ransom. There is no guarantee paying the ransom will allow the user to regain access to those files.

Rape - The penetration, no matter how slight, of the vagina or anus with any body part or object, or oral penetration by a sex organ of another person, without the consent of the victim. (FBI’s UCR Program Definition)

Recovery - The phase of Comprehensive Emergency Management that encompasses activities and programs implemented during and after response that are designed to return the entity to its usual state or to a “new normal”.

Regional campus Chief Information Officer - The primary responsibility of a regional campus Chief Information Officer is the development and use of information technology in support of the campus' vision for excellence in research, teaching, outreach, and lifelong learning. He or she is also responsible for disseminating information to the campus, coordinating activities that involve more than one campus, fostering cooperation in areas such as sharing technical expertise and training, and problem coordination and resolution for their own campus information technology issues.

Related Third Party - For the purposes of information security and privacy governance, Related Third Party is a Role Title, and is defined as an organization, contractor, vendor, or consultant with whom Indiana University establishes relationships or contracts to perform a service for or on behalf of the university. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

Remote access service - Remote access services are defined as any mechanisms that allow a machine outside of the physical university data network to appear as though it is part of the Indiana University network. Typically this involves creating a link over either the data network or a phone line and assigning an Indiana University IP address to the remote machine.

Role title - A generic information security and privacy role title is given to a set of high-level, general responsibilities. An individual may then be assigned to a role title, so that he or she understands what functions to perform.

Response - Immediate actions to save and sustain lives, protect property and the environment, and meet basic human needs. Response also includes the execution of plans and actions to support short-term recovery.

Robbery - The taking or attempting to take anything of value from the care, custody, or control of a person or persons by force or threat of force or violence and/or by putting the victim in fear. (FBI’s UCR Program Definition)

S

Safe/secure shelter - A designated location or area within a campus facility which offers the best protection from an emergency or crisis situation.

Safeguards - The administrative (e.g. policies, procedures), technical, and physical measures put in place to protect information.

Screen lock - Make a habit of locking your computer every time you leave it, so that when you are ready to use it again it asks for your password to log in. This prevents someone from sneaking onto your computer and stealing files.

Security incident - The attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Security incident also means the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents, misrouting of mail, or compromise of physical security, all of which may have the potential to put the data at risk of unauthorized access, use, disclosure, modification or destruction.

Secure Shell (SSH) - Also known as slogin. SSH lets a user connect from one computer to another over a network and execute commands, transfer files, or get a command prompt. It uses strong cryptography to protect the data in transit and also to authenticate both the user and the server. SSH serves as a drop-in replacement for TELNET, FTP, rlogin, rsh, and rcp, none of which use strong cryptography by default. SSH consists of both a client program, ssh, which the user runs directly, and a server program, sshd, that handles incoming requests on the server.

Severe/hazardous weather - Instances of extreme weather or hydrological events associated with such events as severe local storms; winter storms; fire weather; flooding; coastal/lakeshore hazards; marine hazards; and other hazards including but not limited to extreme temperatures, dense fog, high winds, river flooding, and lakeshore flooding.

Shelter-in-place - The practice of selecting an interior room or rooms within a facility, or ones with no or few windows, and taking refuge there until an “all-clear” is given.

Site manager - For the purposes of the Website Privacy Notices Policy, the site manager of a university web site is the person or group that technically implements the wishes and publishes the content of the content owner. Typically, the site manager follows the direction of the content owner. The site manager and content owner share responsibility for a web site and for adherence to this policy.

Social engineering - In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking or manipulating other people to divulge confidential information or break normal security procedures.

Standard - Standards (like procedures) support policy by further describing specific implementation details (i.e. the "how"). A standard can be thought of as an extension of policy that articulates the rules, mechanisms, technical or procedural requirements or specifications to be used in carrying out/complying with policy. Standards, along with procedures, promote a consistent approach to following policy. Standards make policies more practically meaningful and effective. Standards are definitional and clarifying in nature, specifying the minimums necessary to meet policy objectives. Because standards directly support policies, compliance with standards is non-optional and failure to follow standards may result in sanctions imposed by the appropriate university office.

Standard Third Party Review and Approval Process - This process requires that proper documentation be submitted along with the initial request (i.e. business case, identification of the executive sponsor, resource management plan identifying adequate functional and technical resources, etc.), the completion of a security assessment, a Privacy Notice review, final approval from the Data Stewards, purchasing contracts and other appropriate reviews for web accessibility, programs involving children, etc. This process may take significant time and departments should plan accordingly. Any purchase of goods or services must comply with University Procurement Services policies and procedures.

Standard threshold shift (STS) - A change in hearing threshold relative to the baseline audiogram of an average of 10 dB or more at 2000, 3000, and 4000 Hz in either ear.

Stalking - Engaging in a course of conduct directed at a specific person that would cause a reasonable person to—(A) Fear for the person’s safety or the safety of others; or (B) Suffer substantial emotional distress.

Statutory rape - Sexual intercourse with a person who is under the statutory age of consent. (From the National Incident-Based Reporting System (NIBRS) User Manual from the FBI’s UCR Program)

Sweep (buildings/facilities) - The practice used by law enforcement or other public safety personnel to systematically determine potential risks or threats in a building or facility that remains occupied as a result of an emergency or crisis situation.

T

Tagout - The placement of a tagout device on an energy isolating device, in accordance with an established procedure, to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.

Technician - For the purposes of information security and privacy governance, Technician is a Role Title, and is defined as an individual who applies security and privacy principles, policies, standards, guidelines, and procedures to technologies that contain, transport, or otherwise handle information. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

Technology Management - For the purposes of information security and privacy governance, Technology Management is a Role Title, and is defined as those individuals assigned technology management/director responsibilities for a unit or service. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

Time weighted average (TWA) - Average exposure over a specified period of time.

Tornado - A violently rotating storm of small diameter; the most violent weather phenomenon. It is produced in a very severe thunderstorm and appears as a funnel cloud extending from the base of a cumulonimbus to the ground.

U

University Chief Information Officer - The primary responsibility of the University Chief Information Officer is the development and use of information technology in support of the university's vision for excellence in research, teaching, outreach, and lifelong learning. The University Information Policy Office (UIPO) represents the University Chief Information Officer (CIO) with respect to policy issues related to the IU Bloomington and IUPUI campuses.

University Information - For information security and privacy purposes, university information consists of data and information that are created, received, or maintained by the university in the course of carrying out its mission. NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information will be used interchangeably, with a preference for the use of the term information.

Universal precautions - An approach to infection control that treats all blood and other potentially infectious materials as if known to be infectious for HIV, hepatitis B, and other bloodborne pathogens. This approach includes the use of barrier precautions by employees to prevent direct skin, parenteral, or mucous membrane contact with blood or other body fluids that are visibly contaminated with blood.

University Websites - These sites are created or maintained either by or for academic, administrative, or auxiliary units of Indiana University, regardless of whether or not the sites are hosted on university servers or external servers. This includes Websites of professional associations and publications that are formally hosted, maintained and operated by faculty or staff of the university.

User - For the purposes of information security and privacy governance, User is a Role Title, and is defined as an individual who interacts with information. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)

V

Visitor - For the purposes of the Website Privacy Notice Policy, a visitor to a Website is anyone viewing or entering information, regardless of affiliation or origination of the connection.

W

Warning - A weather condition where the formation of extreme or severe weather is imminent or has been sighted in the immediate area.

Weather warning v. watch

A weather warning signals imminent severe weather and the possible need for immediate action for safety. A weather watch indicates the possibility of extreme or severe weather.

Watch - A weather condition where there is the possibility of extreme or severe weather forming.

Wireless network - A wireless network is a telecommunications network whose interconnections between nodes are achieved using electromagnetic waves such as radio waves instead of wire or fiber optic cable. Wireless networking equipment includes devices used to set up a wireless network such as wireless hubs, routers, and access points.